Description
I want to use Entra ID with "AzureADandPersonalMicrosoftAccount" (so, aad work/school and msa personal accounts) to authenticate to my app. I can log in to my app with my current configuration.
HOWEVER - it is possible that the user has several accounts and that the logged in account is NOT the one they wish to use for my app. I want to, from within the already authenticated app, cause the log in flow with ?prompt=select_account but I cannot find a way to make this happen nor any reliable documentation about this. (Google's AI slop will tell you any damn thing, none of which work).
My explorations so far are:
- to `<a href="/.auth/login/aad?prompt=select_account">Switch accounts</a>`, which seems like the easiest. I'd expect EasyAuth to recognize this query parameter and pass it along to the actual login flow. Doesn't seem to work - my . This would be the simplest. Ideally other relevant passthrough parameters would be supported.
- use @azure/msal-node to create the full redirect url directly. This almost seems to work, but after correctly being prompted for the account, I get the "Invalid request" "Redirect Uri" not registered. I figure this is a double-hop authentication related to me supporting both AAD and MSA where the `https://login.microsoftonline.com/common/v2.0` authority double-hops to `login.live.com` and inappropriately preserves the same redirect_uri, which fails because `login.microsoftonline.com` doesn't have my app's callback registered as one of its valid registered redirects (which we have no control over and wouldn't be right for this delegated login scenario anyway).
```ts
import { app, HttpRequest, HttpResponseInit, InvocationContext } from "@azure/functions";
import * as msal from "@azure/msal-node";

const pca = new msal.ConfidentialClientApplication({
  auth: {
    clientId: process.env.ENTRA_CLIENT_ID!,
    // authority is the tenant-level URL; MSAL appends /oauth2/v2.0/authorize itself
    authority: "https://login.microsoftonline.com/common",
    clientSecret: process.env.ENTRA_CLIENT_SECRET,
  },
});

// Builds the authorize URL that forces the account picker, using the EasyAuth callback as redirect_uri.
async function getMySwitchAccountsUrl(request: HttpRequest, context: InvocationContext): Promise<HttpResponseInit> {
  return {
    jsonBody: await pca.getAuthCodeUrl({
      scopes: ["openid", "email"],
      redirectUri: `https://${process.env.EXTERNAL_DOMAIN}/.auth/login/aad/callback`,
      prompt: "select_account",
      responseMode: "form_post",
    }),
  };
}

app.http("get-my-switch-accounts-url", {
  methods: ["POST"],
  authLevel: "anonymous",
  handler: extras(getMySwitchAccountsUrl), // extras() is the author's own wrapper, not shown in the issue
});
```
- I've tried getting any kind of result by configuring staticwebapp.config.json (though that would be bad because it would force it on every login). Though I've found that the `auth` block seems to be completely irrelevant and ignored. I can comment it out/remove it entirely and the site behavior doesn't change. Other parts matter, such as the `routes`, `navigationalFallback` and `responseOverrides`, but the `auth` stuff does nothing - I figure it must be using "Simple Mode" authentication. Maybe my auth block is silently failing and reverting to Simple? But anyway, I'm pretty sure this would not be a nice user experience.
```jsonc
{
  "auth": {
    "identityProviders": {
      "azureActiveDirectory": {
        "userDetailsClaim": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
        "registration": {
          "clientIdSettingName": "ENTRA_CLIENT_ID",
          "clientSecretSettingName": "ENTRA_CLIENT_SECRET",
          "openIdIssuer": "https://login.microsoftonline.com/common/v2.0" // I've tried variations of this issuer url, no change
        },
        "login": {
          "loginParameters": [
            "scope=openid email",   // IGNORED
            "prompt=select_account" // IGNORED
          ]
        }
      }
    }
  }
}
```
Is it a clue that this "Custom" choice is disabled? (My Oryx build deployment log output indicates that staticwebapp.config.json is found and used)
How can we get the ?prompt=select_account behavior with EasyAuth?
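As an added example (not code from the issue author or the Static Web Apps project), a check that can be run over the URL `getAuthCodeUrl` returns before the browser is redirected: it confirms `redirect_uri` is byte-for-byte the registered callback, that `prompt` was carried through and is one of the documented values, and that `state` is present, which separates "my URL is wrong" from "the provider rejected a correct URL". The client id, domain and sample URL are constructed placeholders.

```typescript
// Added example, not the issue author's code: inspect an authorize URL (such as the
// one msal-node's getAuthCodeUrl returns) against what the app expects, so a wrong
// redirect_uri or a dropped prompt is caught before the browser is sent to Entra.
interface AuthorizeExpectation {
  clientId: string;
  redirectUri: string; // must equal a redirect URI on the app registration, byte for byte
  prompt?: string;     // passthrough value the app wants honoured, e.g. "select_account"
}

// prompt values the Microsoft identity platform v2.0 authorize endpoint documents
const ALLOWED_PROMPTS = new Set(["login", "none", "consent", "select_account"]);

function inspectAuthorizeUrl(url: string, expected: AuthorizeExpectation): string[] {
  const problems: string[] = [];
  let u: URL | undefined;
  try { u = new URL(url); } catch { /* reported below */ }
  if (!u) return ["not an absolute URL"];
  const q = u.searchParams;
  if (u.protocol !== "https:") problems.push("authorize endpoint is not https");
  if (q.get("client_id") !== expected.clientId) problems.push("client_id differs from the app registration");
  // The identity provider compares redirect_uri exactly (scheme, host and path), so do the same here.
  if (q.get("redirect_uri") !== expected.redirectUri) {
    problems.push(`redirect_uri is ${q.get("redirect_uri")}, expected ${expected.redirectUri}`);
  }
  const prompt = q.get("prompt");
  if (prompt !== null && !ALLOWED_PROMPTS.has(prompt)) problems.push(`prompt value "${prompt}" is not a documented value`);
  if (expected.prompt !== undefined && prompt !== expected.prompt) {
    problems.push(`prompt was not carried through (got ${prompt ?? "nothing"})`);
  }
  if (!(q.get("scope") ?? "").split(" ").includes("openid")) problems.push("scope lacks openid, no id_token will be issued");
  if (!q.get("state")) problems.push("state is missing, the callback cannot be tied to this request");
  return problems;
}

// Constructed sample in the shape msal-node produces for the issue's configuration
// (placeholder client id and domain, not real values).
const SAMPLE_URL =
  "https://login.microsoftonline.com/common/oauth2/v2.0/authorize" +
  "?client_id=00000000-0000-0000-0000-000000000000&response_type=code" +
  "&redirect_uri=https%3A%2F%2Fapp.example.com%2F.auth%2Flogin%2Faad%2Fcallback" +
  "&scope=openid%20email&prompt=select_account&response_mode=form_post&state=xyz";

const SAMPLE_EXPECTATION: AuthorizeExpectation = {
  clientId: "00000000-0000-0000-0000-000000000000",
  redirectUri: "https://app.example.com/.auth/login/aad/callback",
  prompt: "select_account",
};

console.log(inspectAuthorizeUrl(SAMPLE_URL, SAMPLE_EXPECTATION)); // [] when everything lines up
```

If the list is empty for the URL your function returned and the provider still answers "Redirect Uri not registered", the mismatch is happening on the provider side rather than in the URL you built.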